12 years agoMerge branch 'master' of git://
David S. Miller [Tue, 11 May 2010 05:53:41 +0000 (22:53 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

12 years agonet: Fix FDDI and TR config checks in ipv4 arp and LLC.
David S. Miller [Mon, 10 May 2010 11:59:07 +0000 (04:59 -0700)]
net: Fix FDDI and TR config checks in ipv4 arp and LLC.

Need to check both CONFIG_FOO and CONFIG_FOO_MODULE

Signed-off-by: David S. Miller <>
12 years agoIPv4: unresolved multicast route cleanup
Andreas Meissner [Mon, 10 May 2010 11:47:49 +0000 (04:47 -0700)]
IPv4: unresolved multicast route cleanup

Fixes the expiration timer for unresolved multicast route entries.
In case new multicast routing requests come in faster than the
expiration timeout occurs (e.g. zap through multicast TV streams), the
timer is prevented from being called at time for already existing entries.

As the single timer is resetted to default whenever a new entry is made,
the timeout for existing unresolved entires are missed and/or not
updated. As a consequence new requests are denied when the limit of
unresolved entries has been reached because old entries live longer than
they are supposed to.

The solution is to reset the timer only for the first unresolved entry
in the multicast routing cache. All other timers are already set and
updated correctly within the timer function itself by now.

Signed-off by: Andreas Meissner <>
Signed-off-by: David S. Miller <>
12 years agomac80211: remove association work when processing deauth request
Reinette Chatre [Tue, 4 May 2010 23:04:49 +0000 (16:04 -0700)]
mac80211: remove association work when processing deauth request

In a user encountered the

[18967.469098] wlan0: authenticated
[18967.472527] wlan0: associate with 00:1c:10:b8:e3:ea (try 1)
[18967.472585] wlan0: deauthenticating from 00:1c:10:b8:e3:ea by local choice (reason=3)
[18967.672057] wlan0: associate with 00:1c:10:b8:e3:ea (try 2)
[18967.872357] wlan0: associate with 00:1c:10:b8:e3:ea (try 3)
[18968.072960] wlan0: association with 00:1c:10:b8:e3:ea timed out
[18968.076890] ------------[ cut here ]------------
[18968.076898] WARNING: at net/wireless/mlme.c:341 cfg80211_send_assoc_timeout+0xa8/0x140()
[18968.076900] Hardware name: GX628
[18968.076924] Pid: 1408, comm: phy0 Not tainted 2.6.34-rc4-00082-g250541f-dirty #3
[18968.076926] Call Trace:
[18968.076931]  [<ffffffff8103459e>] ?  warn_slowpath_common+0x6e/0xb0
[18968.076934]  [<ffffffff8157c2d8>] ?  cfg80211_send_assoc_timeout+0xa8/0x140
[18968.076937]  [<ffffffff8103ff8b>] ? mod_timer+0x10b/0x180
[18968.076940]  [<ffffffff8158f0fc>] ?  ieee80211_assoc_done+0xbc/0xc0
[18968.076943]  [<ffffffff81590d53>] ?  ieee80211_work_work+0x553/0x11c0
[18968.076945]  [<ffffffff8102d931>] ? finish_task_switch+0x41/0xb0
[18968.076948]  [<ffffffff81590800>] ?  ieee80211_work_work+0x0/0x11c0
[18968.076951]  [<ffffffff810476fb>] ? worker_thread+0x13b/0x210
[18968.076954]  [<ffffffff8104b6b0>] ?  autoremove_wake_function+0x0/0x30
[18968.076956]  [<ffffffff810475c0>] ? worker_thread+0x0/0x210
[18968.076959]  [<ffffffff8104b21e>] ? kthread+0x8e/0xa0
[18968.076962]  [<ffffffff810031f4>] ?  kernel_thread_helper+0x4/0x10
[18968.076964]  [<ffffffff8104b190>] ? kthread+0x0/0xa0
[18968.076966]  [<ffffffff810031f0>] ?  kernel_thread_helper+0x0/0x10
[18968.076968] ---[ end trace 8aa6265f4b1adfe0 ]---

As explained by Johannes Berg <>:

We authenticate successfully, and then userspace requests association.
Then we start that process, but the AP doesn't respond. While we're
still waiting for an AP response, userspace asks for a deauth. We do
the deauth, but don't abort the association work. Then once the
association work times out we tell cfg80211, but it no longer wants
to know since for all it is concerned we accepted the deauth that
also kills the association attempt.

Fix this by, upon receipt of deauth request, removing the association work
and continuing to send the deauth.

Unfortunately the user reporting the issue is not able to reproduce this
problem anymore and cannot verify this fix. This seems like a well understood
issue though and I thus present the patch.

Bug-identified-by: Johannes Berg <>
Signed-off-by: Reinette Chatre <>
Signed-off-by: John W. Linville <>
12 years agoar9170: wait for asynchronous firmware loading
Christian Lamparter [Thu, 29 Apr 2010 15:53:33 +0000 (17:53 +0200)]
ar9170: wait for asynchronous firmware loading

This patch fixes a regression introduced by the following patch:
"ar9170: load firmware asynchronously"

When we kick off a firmware loading request and then unbind,
or disconnect the usb device right away, we get into trouble:

> ------------[ cut here ]------------
> WARNING: at lib/kref.c:44 kref_get+0x1c/0x20()
> Hardware name: 18666GU
> Modules linked in: ar9170usb [...]
> Pid: 6588, comm: firmware/ar9170 Not tainted 2.6.34-rc5-wl #43
> Call Trace:
> [<c102b05e>] ? warn_slowpath_common+0x6e/0xb0
> [<c117c93c>] ? kref_get+0x1c/0x20
> [<c102b0b3>] ? warn_slowpath_null+0x13/0x20
> [<c117c93c>] ? kref_get+0x1c/0x20
> [<c117bb2f>] ? kobject_get+0xf/0x20
> [<c124d630>] ? get_device+0x10/0x20
> [<c124e5a0>] ? device_add+0x60/0x530
> [<c117b8b5>] ? kobject_init+0x25/0xa0
> [<c12569f9>] ? _request_firmware+0x139/0x3e0
> [<c1256cc0>] ? request_firmware_work_func+0x20/0x70
> [<c1256ca0>] ? request_firmware_work_func+0x0/0x70
> [<c103ff24>] ? kthread+0x74/0x80
> [<c103feb0>] ? kthread+0x0/0x80
> [<c1003136>] ? kernel_thread_helper+0x6/0x10
>---[ end trace 2d50bd818f64a1b7 ]---
- followed by a random Oops -

Avoid that by waiting for the firmware loading to finish
(whether successfully or not) before the unbind in

Reported-by: Johannes Berg <>
Bug-fixed-by: Johannes Berg <>
Signed-off-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
12 years agoipv4: udp: fix short packet and bad checksum logging
Bjørn Mork [Thu, 6 May 2010 03:44:34 +0000 (03:44 +0000)]
ipv4: udp: fix short packet and bad checksum logging

commit 2783ef23 moved the initialisation of saddr and daddr after
pskb_may_pull() to avoid a potential data corruption.  Unfortunately
also placing it after the short packet and bad checksum error paths,
where these variables are used for logging.  The result is bogus
output like

[92238.389505] UDP: short packet: From 23715/178 to

Moving the saddr and daddr initialisation above the error paths, while still
keeping it after the pskb_may_pull() to keep the fix from commit 2783ef23.

Signed-off-by: Bjørn Mork <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
12 years agophy: Fix initialization in micrel driver.
David S. Miller [Thu, 6 May 2010 10:15:59 +0000 (03:15 -0700)]
phy: Fix initialization in micrel driver.

Missing name string in ks8001_driver, so we crash on register.

Reported-by: Ingo Molnar <>
Tested-by: Ingo Molnar <>
Signed-off-by: David S. Miller <>
12 years agosctp: Fix a race between ICMP protocol unreachable and connect()
Vlad Yasevich [Thu, 6 May 2010 07:56:07 +0000 (00:56 -0700)]
sctp: Fix a race between ICMP protocol unreachable and connect()

ICMP protocol unreachable handling completely disregarded
the fact that the user may have locked the socket.  It proceeded
to destroy the association, even though the user may have
held the lock and had a ref on the association.  This resulted
in the following:

Attempt to release alive inet socket f6afcc00

[ BUG: held lock freed! ]
somenu/2672 is freeing memory f6afcc00-f6afcfff, with a lock still held
 (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c
1 lock held by somenu/2672:
 #0:  (sk_lock-AF_INET){+.+.+.}, at: [<c122098a>] sctp_connect+0x13/0x4c

stack backtrace:
Pid: 2672, comm: somenu Not tainted 2.6.32-telco #55
Call Trace:
 [<c1232266>] ? printk+0xf/0x11
 [<c1038553>] debug_check_no_locks_freed+0xce/0xff
 [<c10620b4>] kmem_cache_free+0x21/0x66
 [<c1185f25>] __sk_free+0x9d/0xab
 [<c1185f9c>] sk_free+0x1c/0x1e
 [<c1216e38>] sctp_association_put+0x32/0x89
 [<c1220865>] __sctp_connect+0x36d/0x3f4
 [<c122098a>] ? sctp_connect+0x13/0x4c
 [<c102d073>] ? autoremove_wake_function+0x0/0x33
 [<c12209a8>] sctp_connect+0x31/0x4c
 [<c11d1e80>] inet_dgram_connect+0x4b/0x55
 [<c11834fa>] sys_connect+0x54/0x71
 [<c103a3a2>] ? lock_release_non_nested+0x88/0x239
 [<c1054026>] ? might_fault+0x42/0x7c
 [<c1054026>] ? might_fault+0x42/0x7c
 [<c11847ab>] sys_socketcall+0x6d/0x178
 [<c10da994>] ? trace_hardirqs_on_thunk+0xc/0x10
 [<c1002959>] syscall_call+0x7/0xb

This was because the sctp_wait_for_connect() would aqcure the socket
lock and then proceed to release the last reference count on the
association, thus cause the fully destruction path to finish freeing
the socket.

The simplest solution is to start a very short timer in case the socket
is owned by user.  When the timer expires, we can do some verification
and be able to do the release properly.

Signed-off-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
12 years agoveth: Dont kfree_skb() after dev_forward_skb()
Eric Dumazet [Thu, 6 May 2010 07:53:53 +0000 (00:53 -0700)]
veth: Dont kfree_skb() after dev_forward_skb()

In case of congestion, netif_rx() frees the skb, so we must assume
dev_forward_skb() also consume skb.

Bug introduced by commit 445409602c092
(veth: move loopback logic to common location)

We must change dev_forward_skb() to always consume skb, and veth to not
double free it.

Bug report :

Reported-by: Martín Ferrari <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
12 years agoIPv6: fix IPV6_RECVERR handling of locally-generated errors
Brian Haley [Mon, 3 May 2010 15:44:27 +0000 (15:44 +0000)]
IPv6: fix IPV6_RECVERR handling of locally-generated errors

I noticed when I added support for IPV6_DONTFRAG that if you set
IPV6_RECVERR and tried to send a UDP packet larger than 64K to an
IPv6 destination, you'd correctly get an EMSGSIZE, but reading from
MSG_ERRQUEUE returned the incorrect address in the cmsg:

struct msghdr:
 msg_name         0x7fff8f3c96d0
 msg_namelen      28
struct sockaddr_in6:
 sin6_family      10
 sin6_port        7639
 sin6_flowinfo    0
 sin6_addr        ::ffff:
 sin6_scope_id    0  ((null))

It should have returned this in my case:

struct msghdr:
 msg_name         0x7fffd866b510
 msg_namelen      28
struct sockaddr_in6:
 sin6_family      10
 sin6_port        7639
 sin6_flowinfo    0
 sin6_addr        2620:0:a09:e000:21f:29ff:fe57:f88b
 sin6_scope_id    0  ((null))

The problem is that ipv6_recv_error() assumes that if the error
wasn't generated by ICMPv6, it's an IPv4 address sitting there,
and proceeds to create a v4-mapped address from it.

Change ipv6_icmp_error() and ipv6_local_error() to set skb->protocol
to htons(ETH_P_IPV6) so that ipv6_recv_error() knows the address
sitting right after the extended error is IPv6, else it will
incorrectly map the first octet into an IPv4-mapped IPv6 address
in the cmsg structure returned in a recvmsg() call to obtain
the error.

Signed-off-by: Brian Haley <>
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to
More majordomo info at
Signed-off-by: David S. Miller <>
12 years agonet/gianfar: drop recycled skbs on MTU change
Sebastian Andrzej Siewior [Tue, 4 May 2010 22:30:47 +0000 (22:30 +0000)]
net/gianfar: drop recycled skbs on MTU change

The size for skbs which is added to the recycled list is using the
current descriptor size which is current MTU. gfar_new_skb() is also
using this size. So after changing or alteast increasing the MTU all
recycled skbs should be dropped.

Signed-off-by: Sebastian Andrzej Siewior <>
Acked-by: Andy Fleming <>
Signed-off-by: David S. Miller <>
12 years agoFEC: Fix kernel panic in fec_set_mac_address.
Mattias Walström [Wed, 5 May 2010 07:55:48 +0000 (00:55 -0700)]
FEC: Fix kernel panic in fec_set_mac_address.

Fix memory corruption that sometimes result in kernel panic.

Signed-off-by: Mattias Walström <>
Signed-off-by: David S. Miller <>
12 years agoipv6: Fix default multicast hops setting.
David S. Miller [Tue, 4 May 2010 06:42:27 +0000 (23:42 -0700)]
ipv6: Fix default multicast hops setting.

As per RFC 3493 the default multicast hops setting
for a socket should be "1" just like ipv4.

Ironically we have a IPV6_DEFAULT_MCASTHOPS macro
it just wasn't being used.

Reported-by: Elliot Hughes <>
Signed-off-by: David S. Miller <>
12 years agonet: ep93xx_eth stops receiving packets
David S. Miller [Tue, 4 May 2010 06:21:27 +0000 (23:21 -0700)]
net: ep93xx_eth stops receiving packets

Receiving small packet(s) in a fast pace leads to not receiving any
packets at all after some time.

After ethernet packet(s) arrived the receive descriptor is incremented
by the number of frames processed. If another packet arrives while
processing, this is processed in another call of ep93xx_rx. This
second call leads that too many receive descriptors getting released.

This fix increments, even in these case, the right number of processed
receive descriptors.

Signed-off-by: Stefan Agner <>
Acked-by: Lennert Buytenhek <>
Signed-off-by: David S. Miller <>
12 years agodrivers/net/phy: micrel phy driver
David J. Choi [Thu, 29 Apr 2010 06:12:41 +0000 (06:12 +0000)]
drivers/net/phy: micrel phy driver

This is the first version of phy driver from Micrel Inc.

Signed-off-by: David J. Choi <>
Signed-off-by: David S. Miller <>
12 years agodm9601: fix phy/eeprom write routine
Peter Korsgaard [Mon, 3 May 2010 10:01:26 +0000 (10:01 +0000)]
dm9601: fix phy/eeprom write routine

Use correct bit positions in DM_SHARED_CTRL register for writes.

Michael Planes recently encountered a 'KY-RS9600 USB-LAN converter', which
came with a driver CD containing a Linux driver. This driver turns out to
be a copy of dm9601.c with symbols renamed and my copyright stripped.
That aside, it did contain 1 functional change in dm_write_shared_word(),
and after checking the datasheet the original value was indeed wrong
(read versus write bits).

On Michaels HW, this change bumps receive speed from ~30KB/s to ~900KB/s.
On other devices the difference is less spectacular, but still significant

Reported-by: Michael Planes <>
Signed-off-by: Peter Korsgaard <>
Signed-off-by: David S. Miller <>
12 years agoppp_generic: handle non-linear skbs when passing them to pppd
Simon Arlott [Mon, 3 May 2010 10:20:27 +0000 (10:20 +0000)]
ppp_generic: handle non-linear skbs when passing them to pppd

Frequently when using PPPoE with an interface MTU greater than 1500,
the skb is likely to be non-linear. If the skb needs to be passed to
pppd then the skb data must be read correctly.

The previous commit fixes an issue with accidentally sending skbs
to pppd based on an invalid read of the protocol type. When that
error occurred pppd was reading invalid skb data too.

Signed-off-by: Simon Arlott <>
Signed-off-by: David S. Miller <>
12 years agoppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid
Simon Arlott [Mon, 3 May 2010 10:19:33 +0000 (10:19 +0000)]
ppp_generic: pull 2 bytes so that PPP_PROTO(skb) is valid

In ppp_input(), PPP_PROTO(skb) may refer to invalid data in the skb.

If this happens and (proto >= 0xc000 || proto == PPP_CCPFRAG) then
the packet is passed directly to pppd.

This occurs frequently when using PPPoE with an interface MTU
greater than 1500 because the skb is more likely to be non-linear.

The next 2 bytes need to be pulled in ppp_input(). The pull of 2
bytes in ppp_receive_frame() has been removed as it is no longer

Signed-off-by: Simon Arlott <>
Signed-off-by: David S. Miller <>
12 years agonet: fix compile error due to double return type in SOCK_DEBUG
Jan Engelhardt [Sun, 2 May 2010 20:42:39 +0000 (13:42 -0700)]
net: fix compile error due to double return type in SOCK_DEBUG

Fix this one:
include/net/sock.h: error: two or more data types in declaration specifiers

Signed-off-by: Jan Engelhardt <>
Signed-off-by: David S. Miller <>
12 years agonet/usb: initiate sync sequence in sierra_net.c driver
Elina Pasheva [Wed, 28 Apr 2010 13:28:24 +0000 (13:28 +0000)]
net/usb: initiate sync sequence in sierra_net.c driver

The following patch adds the initiation of the sync sequence to
"sierra_net_bind()". If this step is omitted, the modem will never sync up
with the host and it will not be possible to establish a data connection.

Signed-off-by: Elina Pasheva <>
Signed-off-by: Rory Filer <>
Tested-by: Elina Pasheva <>
Signed-off-by: David S. Miller <>
12 years agonet/usb: remove default in Kconfig for sierra_net driver
Elina Pasheva [Sat, 1 May 2010 02:05:28 +0000 (19:05 -0700)]
net/usb: remove default in Kconfig for sierra_net driver

The following patch removes the default from the Kconfig entry for sierra_net
driver as recommended.

Signed-off-by: Elina Pasheva <>
Signed-off-by: Rory Filer <>
Signed-off-by: David S. Miller <>
12 years agor8169: Fix rtl8169_rx_interrupt()
Eric Dumazet [Fri, 30 Apr 2010 23:20:39 +0000 (16:20 -0700)]
r8169: Fix rtl8169_rx_interrupt()

In case a reset is performed, rtl8169_rx_interrupt() is called from
process context instead of softirq context. Special care must be taken
to call appropriate network core services (netif_rx() instead of
netif_receive_skb()). VLAN handling also corrected.

Reported-by: Sergey Senozhatsky <>
Tested-by: Sergey Senozhatsky <>
Diagnosed-by: Oleg Nesterov <>
Signed-off-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
12 years agoiwlwifi: work around passive scan issue
Johannes Berg [Fri, 30 Apr 2010 21:42:15 +0000 (14:42 -0700)]
iwlwifi: work around passive scan issue

Some firmware versions don't behave properly when
passive scanning is requested on radar channels
without enabling active scanning on receiving a
good frame. Work around that issue by asking the
firmware to only enable the active scanning after
receiving a huge number of good frames, a number
that can never be reached during our dwell time.

Signed-off-by: Johannes Berg <>
Signed-off-by: Reinette Chatre <>
12 years agoMerge branch 'master' of git://
David S. Miller [Fri, 30 Apr 2010 19:54:15 +0000 (12:54 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

12 years agoe1000e: Fix oops caused by ASPM patch.
Anton Blanchard [Wed, 28 Apr 2010 21:46:06 +0000 (21:46 +0000)]
e1000e: Fix oops caused by ASPM patch.

Commit 6f461f6c7c961f0b1b73c0f27becf472a0ac606b
("e1000e: enable/disable ASPM L0s and L1 and ERT according to hardware errata")
oopses on one of my ppc64 boxes with a NULL pointer (0x4a):

Unable to handle kernel paging request for data at address 0x0000004a
Faulting instruction address: 0xc0000000004d2f1c
cpu 0xe: Vector: 300 (Data Access) at [c000000bec1833a0]
    pc: c0000000004d2f1c: .e1000e_disable_aspm+0xe0/0x150
    lr: c0000000004d2f0c: .e1000e_disable_aspm+0xd0/0x150
   dar: 4a

[c000000bec1836d0c00000000069b9d8 .e1000_probe+0x84/0xe8c
[c000000bec1837b0c000000000386d90 .local_pci_probe+0x4c/0x68
[c000000bec183840c0000000003872ac .pci_device_probe+0xfc/0x148
[c000000bec183900c000000000409e8c .driver_probe_device+0xe4/0x1d0
[c000000bec1839a0c00000000040a024 .__driver_attach+0xac/0xf4
[c000000bec183a40c000000000409124 .bus_for_each_dev+0x9c/0x10c
[c000000bec183b00c000000000409c1c .driver_attach+0x40/0x60
[c000000bec183b90c0000000004085dc .bus_add_driver+0x150/0x328
[c000000bec183c40c00000000040a58c .driver_register+0x100/0x1c4
[c000000bec183cf0c00000000038764c .__pci_register_driver+0x78/0x128

Seems like pdev->bus->self == NULL. I haven't touched pci in a long time
so I'm trying to remember what this means (no pcie bridge perhaps?)

The patch below fixes the oops for me.

Signed-off-by: Anton Blanchard <>
Reviewed-by: Bruce Allan <>
Signed-off-by: David S. Miller <>
12 years agonet/sb1250: register mdio bus in probe
Sebastian Siewior [Wed, 28 Apr 2010 09:57:01 +0000 (09:57 +0000)]
net/sb1250: register mdio bus in probe

"ifconfig eth0 up && ifconfig eth0 down" triggers:
| kobject (a8000000cfa5a480): tried to init an initialized object, something is seriously wrong.
| Call Trace:
| [<ffffffff8010aabc>] dump_stack+0x8/0x34
| [<ffffffff80293128>] kobject_init+0xe8/0xf0
| [<ffffffff802d922c>] device_initialize+0x2c/0x98
| [<ffffffff802d9cfc>] device_register+0x14/0x28
| [<ffffffff80312cd4>] mdiobus_register+0xdc/0x1e0
| [<ffffffff80314cf0>] sbmac_open+0x58/0x220
| [<ffffffff803519bc>] __dev_open+0x11c/0x180
| [<ffffffff8034d578>] __dev_change_flags+0x120/0x180
| [<ffffffff80351848>] dev_change_flags+0x20/0x78
| [<ffffffff803a753c>] devinet_ioctl+0x7cc/0x820
| [<ffffffff80339ac8>] sock_do_ioctl+0x38/0x90
| [<ffffffff8033a258>] compat_sock_ioctl_trans+0x408/0x1030
| [<ffffffff8033af30>] compat_sock_ioctl+0xb0/0xd0
| [<ffffffff80208b08>] compat_sys_ioctl+0xa0/0x18b8
| [<ffffffff80102f94>] handle_sys+0x114/0x130
| sb1250-mac-mdio: probed

mdiobus_register() calls device_register() which initializes the kobj of
the device. mdiobus_unregister() calls only device_del() so we have one
reference left. That one is leaving with mdiobus_free() which is only
called on remove.
Since I don't see any reason why mdiobus_register()/mdiobus_unregister()
should happen in ->open()/->close() I move them to probe & exit.

Signed-off-by: Sebastian Andrzej Siewior <>
Signed-off-by: David S. Miller <>
12 years agosctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010...
Neil Horman [Wed, 28 Apr 2010 10:30:59 +0000 (10:30 +0000)]
sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4)

Ok, version 4

Change Notes:
1) Minor cleanups, from Vlads notes


Recently, it was reported to me that the kernel could oops in the
following way:

<5> kernel BUG at net/core/skbuff.c:91!
<5> invalid operand: 0000 [#1]
<5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter
ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U)
vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5
ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss
snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore
pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi
mptbase sd_mod scsi_mod
<5> CPU:    0
<5> EIP:    0060:[<c02bff27>]    Not tainted VLI
<5> EFLAGS: 00010216   (2.6.9-89.0.25.EL)
<5> EIP is at skb_over_panic+0x1f/0x2d
<5> eax: 0000002c   ebx: c033f461   ecx: c0357d96   edx: c040fd44
<5> esi: c033f461   edi: df653280   ebp: 00000000   esp: c040fd40
<5> ds: 007b   es: 007b   ss: 0068
<5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0)
<5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180
<5>        00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004
<5>        00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e
<5> Call Trace:
<5>  [<e0c29478>] sctp_addto_chunk+0xb0/0x128 [sctp]
<5>  [<e0c2947d>] sctp_addto_chunk+0xb5/0x128 [sctp]
<5>  [<e0c2877a>] sctp_init_cause+0x3f/0x47 [sctp]
<5>  [<e0c29d2e>] sctp_process_unk_param+0xac/0xb8 [sctp]
<5>  [<e0c29e90>] sctp_verify_init+0xcc/0x134 [sctp]
<5>  [<e0c20322>] sctp_sf_do_5_1B_init+0x83/0x28e [sctp]
<5>  [<e0c25333>] sctp_do_sm+0x41/0x77 [sctp]
<5>  [<c01555a4>] cache_grow+0x140/0x233
<5>  [<e0c26ba1>] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp]
<5>  [<e0c2b863>] sctp_inq_push+0xe/0x10 [sctp]
<5>  [<e0c34600>] sctp_rcv+0x454/0x509 [sctp]
<5>  [<e084e017>] ipt_hook+0x17/0x1c [iptable_filter]
<5>  [<c02d005e>] nf_iterate+0x40/0x81
<5>  [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5>  [<c02e0c7f>] ip_local_deliver_finish+0xc6/0x151
<5>  [<c02d0362>] nf_hook_slow+0x83/0xb5
<5>  [<c02e0bb2>] ip_local_deliver+0x1a2/0x1a9
<5>  [<c02e0bb9>] ip_local_deliver_finish+0x0/0x151
<5>  [<c02e103e>] ip_rcv+0x334/0x3b4
<5>  [<c02c66fd>] netif_receive_skb+0x320/0x35b
<5>  [<e0a0928b>] init_stall_timer+0x67/0x6a [uhci_hcd]
<5>  [<c02c67a4>] process_backlog+0x6c/0xd9
<5>  [<c02c690f>] net_rx_action+0xfe/0x1f8
<5>  [<c012a7b1>] __do_softirq+0x35/0x79
<5>  [<c0107efb>] handle_IRQ_event+0x0/0x4f
<5>  [<c01094de>] do_softirq+0x46/0x4d

Its an skb_over_panic BUG halt that results from processing an init chunk in
which too many of its variable length parameters are in some way malformed.

The problem is in sctp_process_unk_param:
if (NULL == *errp)
*errp = sctp_make_op_error_space(asoc, chunk,

if (*errp) {
sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM,

When we allocate an error chunk, we assume that the worst case scenario requires
that we have chunk_hdr->length data allocated, which would be correct nominally,
given that we call sctp_addto_chunk for the violating parameter.  Unfortunately,
we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error
chunk, so the worst case situation in which all parameters are in violation
requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data.

The result of this error is that a deliberately malformed packet sent to a
listening host can cause a remote DOS, described in CVE-2010-1173:

I've tested the below fix and confirmed that it fixes the issue.  We move to a
strategy whereby we allocate a fixed size error chunk and ignore errors we don't
have space to report.  Tested by me successfully

Signed-off-by: Neil Horman <>
Acked-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
12 years agosfc: Change falcon_probe_board() to fail for unsupported boards
Ben Hutchings [Wed, 28 Apr 2010 09:01:50 +0000 (09:01 +0000)]
sfc: Change falcon_probe_board() to fail for unsupported boards

The driver needs specific PHY and board support code for each SFC4000
board; there is no point trying to continue if it is missing.
Currently unsupported boards can trigger an 'oops'.

Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
12 years agosfc: Always close net device at the end of a disabling reset
Ben Hutchings [Wed, 28 Apr 2010 09:01:33 +0000 (09:01 +0000)]
sfc: Always close net device at the end of a disabling reset

This fixes a regression introduced by commit
eb9f6744cbfa97674c13263802259b5aa0034594 "sfc: Implement ethtool
reset operation".

Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
12 years agosfc: Wait at most 10ms for the MC to finish reading out MAC statistics
Ben Hutchings [Wed, 28 Apr 2010 09:00:35 +0000 (09:00 +0000)]
sfc: Wait at most 10ms for the MC to finish reading out MAC statistics

The original code would wait indefinitely if MAC stats DMA failed.

Signed-off-by: Ben Hutchings <>
Signed-off-by: David S. Miller <>
12 years agosctp: Fix oops when sending queued ASCONF chunks
Vlad Yasevich [Wed, 28 Apr 2010 08:47:22 +0000 (08:47 +0000)]
sctp: Fix oops when sending queued ASCONF chunks

When we finish processing ASCONF_ACK chunk, we try to send
the next queued ASCONF.  This action runs the sctp state
machine recursively and it's not prepared to do so.

kernel BUG at kernel/timer.c:790!
invalid opcode: 0000 [#1] SMP
last sysfs file: /sys/module/ipv6/initstate
Modules linked in: sha256_generic sctp libcrc32c ipv6 dm_multipath
uinput 8139too i2c_piix4 8139cp mii i2c_core pcspkr virtio_net joydev
floppy virtio_blk virtio_pci [last unloaded: scsi_wait_scan]

Pid: 0, comm: swapper Not tainted 2.6.34-rc4 #15 /Bochs
EIP: 0060:[<c044a2ef>] EFLAGS: 00010286 CPU: 0
EIP is at add_timer+0xd/0x1b
EAX: cecbab14 EBX: 000000f0 ECX: c0957b1c EDX: 03595cf4
ESI: cecba800 EDI: cf276f00 EBP: c0957aa0 ESP: c0957aa0
 DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
Process swapper (pid: 0, ti=c0956000 task=c0988ba0 task.ti=c0956000)
 c0957ae0 d1851214 c0ab62e4 c0ab5f26 0500ffff 00000004 00000005 00000004
<0> 00000000 d18694fd 00000004 1666b892 cecba800 cecba800 c0957b14
<0> c0957b94 d1851b11 ceda8b00 cecba800 cf276f00 00000001 c0957b14
Call Trace:
 [<d1851214>] ? sctp_side_effects+0x607/0xdfc [sctp]
 [<d1851b11>] ? sctp_do_sm+0x108/0x159 [sctp]
 [<d1863386>] ? sctp_pname+0x0/0x1d [sctp]
 [<d1861a56>] ? sctp_primitive_ASCONF+0x36/0x3b [sctp]
 [<d185657c>] ? sctp_process_asconf_ack+0x2a4/0x2d3 [sctp]
 [<d184e35c>] ? sctp_sf_do_asconf_ack+0x1dd/0x2b4 [sctp]
 [<d1851ac1>] ? sctp_do_sm+0xb8/0x159 [sctp]
 [<d1863334>] ? sctp_cname+0x0/0x52 [sctp]
 [<d1854377>] ? sctp_assoc_bh_rcv+0xac/0xe1 [sctp]
 [<d1858f0f>] ? sctp_inq_push+0x2d/0x30 [sctp]
 [<d186329d>] ? sctp_rcv+0x797/0x82e [sctp]

Tested-by: Wei Yongjun <>
Signed-off-by: Yuansong Qiao <>
Signed-off-by: Shuaijun Zhang <>
Signed-off-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
12 years agosctp: fix to calc the INIT/INIT-ACK chunk length correctly is set
Wei Yongjun [Wed, 28 Apr 2010 08:47:21 +0000 (08:47 +0000)]
sctp: fix to calc the INIT/INIT-ACK chunk length correctly is set

When calculating the INIT/INIT-ACK chunk length, we should not
only account the length of parameters, but also the parameters
zero padding length, such as AUTH HMACS parameter and CHUNKS
parameter. Without the parameters zero padding length we may get
following oops.

skb_over_panic: text:ce2068d2 len:130 put:6 head:cac3fe00 data:cac3fe00 tail:0xcac3fe82 end:0xcac3fe80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:127!
invalid opcode: 0000 [#2] SMP
last sysfs file: /sys/module/aes_generic/initstate
Modules linked in: authenc ......

Pid: 4102, comm: sctp_darn Tainted: G      D    2.6.34-rc2 #6
EIP: 0060:[<c0607630>] EFLAGS: 00010282 CPU: 0
EIP is at skb_over_panic+0x37/0x3e
EAX: 00000078 EBX: c07c024b ECX: c07c02b9 EDX: cb607b78
ESI: 00000000 EDI: cac3fe7a EBP: 00000002 ESP: cb607b74
 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process sctp_darn (pid: 4102, ti=cb607000 task=cabdc990 task.ti=cb607000)
 c07c02b9 ce2068d2 00000082 00000006 cac3fe00 cac3fe00 cac3fe82 cac3fe80
<0> c07c024b cac3fe7c cac3fe7a c0608dec ca986e80 ce2068d2 00000006 0000007a
<0> cb8120ca ca986e80 cb812000 00000003 cb8120c4 ce208a25 cb8120ca cadd9400
Call Trace:
 [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
 [<c0608dec>] ? skb_put+0x2e/0x32
 [<ce2068d2>] ? sctp_addto_chunk+0x45/0x85 [sctp]
 [<ce208a25>] ? sctp_make_init+0x279/0x28c [sctp]
 [<c0686a92>] ? apic_timer_interrupt+0x2a/0x30
 [<ce1fdc0b>] ? sctp_sf_do_prm_asoc+0x2b/0x7b [sctp]
 [<ce202823>] ? sctp_do_sm+0xa0/0x14a [sctp]
 [<ce2133b9>] ? sctp_pname+0x0/0x14 [sctp]
 [<ce211d72>] ? sctp_primitive_ASSOCIATE+0x2b/0x31 [sctp]
 [<ce20f3cf>] ? sctp_sendmsg+0x7a0/0x9eb [sctp]
 [<c064eb1e>] ? inet_sendmsg+0x3b/0x43
 [<c04244b7>] ? task_tick_fair+0x2d/0xd9
 [<c06031e1>] ? sock_sendmsg+0xa7/0xc1
 [<c0416afe>] ? smp_apic_timer_interrupt+0x6b/0x75
 [<c0425123>] ? dequeue_task_fair+0x34/0x19b
 [<c0446abb>] ? sched_clock_local+0x17/0x11e
 [<c052ea87>] ? _copy_from_user+0x2b/0x10c
 [<c060ab3a>] ? verify_iovec+0x3c/0x6a
 [<c06035ca>] ? sys_sendmsg+0x186/0x1e2
 [<c042176b>] ? __wake_up_common+0x34/0x5b
 [<c04240c2>] ? __wake_up+0x2c/0x3b
 [<c057e35c>] ? tty_wakeup+0x43/0x47
 [<c04430f2>] ? remove_wait_queue+0x16/0x24
 [<c0580c94>] ? n_tty_read+0x5b8/0x65e
 [<c042be02>] ? default_wake_function+0x0/0x8
 [<c0604e0e>] ? sys_socketcall+0x17f/0x1cd
 [<c040264c>] ? sysenter_do_call+0x12/0x22
Code: 0f 45 de 53 ff b0 98 00 00 00 ff b0 94 ......
EIP: [<c0607630>] skb_over_panic+0x37/0x3e SS:ESP 0068:cb607b74

To reproduce:

# modprobe sctp
# echo 1 > /proc/sys/net/sctp/addip_enable
# echo 1 > /proc/sys/net/sctp/auth_enable
# sctp_test -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 800 -l
# sctp_darn -H 3ffe:501:ffff:100:20c:29ff:fe4d:f37e -P 900 -h -p 800 -I -s -t
sctp_darn ready to send...
3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900- Interactive mode> bindx-add=
3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900- Interactive mode> bindx-add=
3ffe:501:ffff:100:20c:29ff:fe4d:f37e:900- Interactive mode> snd=10

eth0 has addresses: 3ffe:501:ffff:100:20c:29ff:fe4d:f37e and
eth1 has addresses:

Reported-by: George Cheimonidis <>
Signed-off-by: Wei Yongjun <>
Signed-off-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
12 years agosctp: per_cpu variables should be in bh_disabled section
Vlad Yasevich [Wed, 28 Apr 2010 08:47:20 +0000 (08:47 +0000)]
sctp: per_cpu variables should be in bh_disabled section

Since the change of the atomics to percpu variables, we now
have to disable BH in process context when touching percpu variables.

Signed-off-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
12 years agosctp: fix potential reference of a freed pointer
Vlad Yasevich [Wed, 28 Apr 2010 08:47:19 +0000 (08:47 +0000)]
sctp: fix potential reference of a freed pointer

When sctp attempts to update an assocition, it removes any
addresses that were not in the updated INITs.  However, the loop
may attempt to refrence a transport with address after removing it.

Signed-off-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
12 years agosctp: avoid irq lock inversion while call sk->sk_data_ready()
Wei Yongjun [Wed, 28 Apr 2010 08:47:18 +0000 (08:47 +0000)]
sctp: avoid irq lock inversion while call sk->sk_data_ready()

sk->sk_data_ready() of sctp socket can be called from both BH and non-BH
contexts, but the default sk->sk_data_ready(), sock_def_readable(), can
not be used in this case. Therefore, we have to make a new function
sctp_data_ready() to grab sk->sk_data_ready() with BH disabling.

[ INFO: possible irq lock inversion dependency detected ]
2.6.33-rc6 #129
sctp_darn/1517 just changed the state of lock:
 (clock-AF_INET){++.?..}, at: [<c06aab60>] sock_def_readable+0x20/0x80
but this lock took another, SOFTIRQ-unsafe lock in the past:

and interrupts could create inverse lock ordering between them.

other info that might help us debug this:
1 lock held by sctp_darn/1517:
 #0:  (sk_lock-AF_INET){+.+.+.}, at: [<cdfe363d>] sctp_sendmsg+0x23d/0xc00 [sctp]

Signed-off-by: Wei Yongjun <>
Signed-off-by: Vlad Yasevich <>
Signed-off-by: David S. Miller <>
12 years agoRevert "tcp: bind() fix when many ports are bound"
David S. Miller [Wed, 28 Apr 2010 18:25:59 +0000 (11:25 -0700)]
Revert "tcp: bind() fix when many ports are bound"

This reverts two commits:

tcp: bind() fix when many ports are bound

and a follow-on fix for it:

ipv6: Fix inet6_csk_bind_conflict()

It causes problems with binding listening sockets when time-wait
sockets from a previous instance still are alive.

It's too late to keep fiddling with this so late in the -rc
series, and we'll deal with it in net-next-2.6 instead.

Signed-off-by: David S. Miller <>
12 years agonet/usb: add sierra_net.c driver
Elina Pasheva [Wed, 28 Apr 2010 01:06:41 +0000 (18:06 -0700)]
net/usb: add sierra_net.c driver

Re-submitted based on comments from netdev community.
Summary of the changes:
1. Improved error handling.
2. Added the missing timeout arguments to usb_control_msg().

The following is a new Linux driver which exposes certain models of Sierra
Wireless modems to the operating system as Network Interface Cards (NICs).

This driver requires a version of the sierra.c driver which supports
blacklisting to work properly. The blacklist in sierra.c rejects the interfaces
claimed by sierra_net.c. Likewise, the sierra_net.c driver only accepts
(i.e. whitelists) the interface(s) used for USB-to-WWAN traffic.
The version of sierra.c which supports blacklisting is
available from the sierra wireless knowledge base page for older kernels. It is
also available in Linux kernel starting from version 2.6.31.

This driver works with all Sierra Wireless devices configured with PID=68A3
like USB305, USB306 provided the corresponding firmware version is I2.0
(for USB305) or M3.0 (for USB306) and later.
This driver will not work with earlier firmware versions than the ones shown
above. In this case the driver will issue an error message indicating
incompatibility and will not serve the device's USB-to-WWAN interface.

Sierra_net.c sits atop a pre-existing Linux driver called usbnet.c.
A series of hook functions are provided in sierra_net.c which are called by
usbnet.c in response to a particular condition such as receipt or transmission
of a data packet. As such, usbnet.c does most of the work of making
a modem appear to the system as a network device and for properly exchanging
traffic between the USB subsystem and the Network card interface.
Sierra_net.c is concerned with managing the data exchanged between the
USB-to-WWAN interface and the upper layers of the operating system.

Signed-off-by: Elina Pasheva <>
Signed-off-by: Rory Filer <>
Signed-off-by: David S. Miller <>
12 years agocdc_ether: fix autosuspend for mbm devices
Torgny Johansson [Wed, 28 Apr 2010 00:07:40 +0000 (17:07 -0700)]
cdc_ether: fix autosuspend for mbm devices

Autosuspend works until you bring the wwan interface up, then the
device does not enter autosuspend anymore.

The following patch fixes the problem by setting the .manage_power
field in the mbm_info struct to the same as in the cdc_info struct

Signed-off-by: Torgny Johansson <>
Signed-off-by: David S. Miller <>
12 years agobluetooth: handle l2cap_create_connless_pdu() errors
Dan Carpenter [Wed, 21 Apr 2010 23:52:01 +0000 (23:52 +0000)]
bluetooth: handle l2cap_create_connless_pdu() errors

l2cap_create_connless_pdu() can sometimes return ERR_PTR(-ENOMEM) or

Signed-off-by: Dan Carpenter <>
Acked-by: Marcel Holtmann <>
Signed-off-by: David S. Miller <>
12 years agogianfar: Wait for both RX and TX to stop
Andy Fleming [Tue, 27 Apr 2010 23:43:31 +0000 (16:43 -0700)]
gianfar: Wait for both RX and TX to stop

When gracefully stopping the controller, the driver was continuing if
*either* RX or TX had stopped.  We need to wait for both, or the
controller could get into an invalid state.

Signed-off-by: Andy Fleming <>
Signed-off-by: David S. Miller <>
12 years agoipheth: potential null dereferences on error path
Dan Carpenter [Mon, 26 Apr 2010 23:20:12 +0000 (23:20 +0000)]
ipheth: potential null dereferences on error path

The calls to usb_free_buffer() dereference rx_urb and tx_urb in the
parameter list but those could be NULL.

Signed-off-by: Dan Carpenter <>
Acked-by: L. Alberto Giménez <>
Signed-off-by: David S. Miller <>
12 years agosmc91c92_cs: spin_unlock_irqrestore before calling smc_interrupt()
Ken Kawasaki [Sat, 24 Apr 2010 10:37:09 +0000 (10:37 +0000)]
smc91c92_cs: spin_unlock_irqrestore before calling smc_interrupt()

  * spin_unlock_irqrestore before calling smc_interrupt() in media_check()
     to avoid lockup.
  * use spin_lock_irqsave for ethtool function.

Signed-off-by: Ken Kawasaki <>
Signed-off-by: David S. Miller <>
12 years agodrivers/usb/net/kaweth.c: add device "Allied Telesyn AT-USB10 USB Ethernet Adapter"
Andreas Hartmann [Tue, 27 Apr 2010 21:39:33 +0000 (14:39 -0700)]
drivers/usb/net/kaweth.c: add device "Allied Telesyn AT-USB10 USB Ethernet Adapter"

akpm: reluctantly typed in from

Signed-off-by: Andrew Morton <>
Signed-off-by: David S. Miller <>
12 years agobnx2: Update version to 2.0.9.
Michael Chan [Tue, 27 Apr 2010 11:28:11 +0000 (11:28 +0000)]
bnx2: Update version to 2.0.9.

Signed-off-by: Michael Chan <>
Signed-off-by: David S. Miller <>
12 years agobnx2: Prevent "scheduling while atomic" warning with cnic, bonding and vlan.
Michael Chan [Tue, 27 Apr 2010 11:28:10 +0000 (11:28 +0000)]
bnx2: Prevent "scheduling while atomic" warning with cnic, bonding and vlan.

The bonding driver calls ndo_vlan_rx_register() while holding bond->lock.
The bnx2 driver calls bnx2_netif_stop() to stop the rx handling while
changing the vlgrp.  The call also stops the cnic driver which sleeps
while the bond->lock is held and cause the warning.

This code path only needs to stop the NAPI rx handling while we are
changing the vlgrp.  Since no reset is going to occur, there is no need
to stop cnic in this case.  By adding a parameter to bnx2_netif_stop()
to skip stopping cnic, we can avoid the warning.

Signed-off-by: Michael Chan <>
Signed-off-by: David S. Miller <>
12 years agobnx2: Fix lost MSI-X problem on 5709 NICs.
Michael Chan [Tue, 27 Apr 2010 11:28:09 +0000 (11:28 +0000)]
bnx2: Fix lost MSI-X problem on 5709 NICs.

It has been reported that under certain heavy traffic conditions in MSI-X
mode, the driver can lose an MSI-X vector causing all packets in the
associated rx/tx ring pair to be dropped.  The problem is caused by
the chip dropping the write to unmask the MSI-X vector by the kernel
(when migrating the IRQ for example).

This can be prevented by increasing the GRC timeout value for these
register read and write operations.

Thanks to Dell for helping us debug this problem.

Signed-off-by: Michael Chan <>
Signed-off-by: David S. Miller <>
12 years agocxgb3: Wait longer for control packets on initialization
Andre Detsch [Mon, 26 Apr 2010 05:38:27 +0000 (05:38 +0000)]
cxgb3: Wait longer for control packets on initialization

In some Power7 platforms, when using VIOS (Virtual I/O Server), we
need to wait longer for control packets to finish transfer during
Without this change, initialization may fail prematurely.

Signed-off-by: Wen Xiong <>
Signed-off-by: Andre Detsch <>
Acked-by: Divy Le Ray <>
Signed-off-by: David S. Miller <>
12 years agoe1000e: enable/disable ASPM L0s and L1 and ERT according to hardware errata
Bruce Allan [Tue, 27 Apr 2010 03:33:04 +0000 (03:33 +0000)]
e1000e: enable/disable ASPM L0s and L1 and ERT according to hardware errata

Prompted by a previous patch submitted by Matthew Garret <>,
further digging into errata documentation reveals the current enabling or
disabling of ASPM L0s and L1 states for certain parts supported by this
driver are incorrect.  82571 and 82572 should always disable L1.  For
standard frames, 82573/82574/82583 can enable L1 but L0s must be disabled,
and for jumbo frames 82573/82574 must disable L1.  This allows for some
parts to enable L1 in certain configurations leading to better power

Also according to the same errata, Early Receive (ERT) should be disabled
on 82573 when using jumbo frames.

Cc: Matthew Garret <>
Signed-off-by: Bruce Allan <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: David S. Miller <>
12 years agoixgbe: Power down PHY during driver resets
Peter Waskiewicz [Tue, 27 Apr 2010 00:38:15 +0000 (00:38 +0000)]
ixgbe: Power down PHY during driver resets

The PHY laser is still on during driver init.  It's allowing
garbage to hit our FIFO, which eventually can cause the entire
device to die.  Power down the laser while setting up the device,
and re-enable the laser before getting link.

Signed-off-by: Peter P Waskiewicz Jr <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: David S. Miller <>
12 years agor8169: more broken register writes workaround
françois romieu [Mon, 26 Apr 2010 11:42:58 +0000 (11:42 +0000)]
r8169: more broken register writes workaround

78f1cd02457252e1ffbc6caa44a17424a45286b8 ("fix broken register writes")
does not work for Al Viro's r8169 (XID 18000000).

Signed-off-by: Francois Romieu <>
Signed-off-by: David S. Miller <>
12 years agor8169: failure to enable mwi should not be fatal
françois romieu [Mon, 26 Apr 2010 11:42:06 +0000 (11:42 +0000)]
r8169: failure to enable mwi should not be fatal

Few (6) network drivers enable mwi explicitly. Fewer worry about a

It is not a fix but it should avoid some annoyance like

Signed-off-by: Francois Romieu <>
Cc: Conrad Kostecki <>
Signed-off-by: David S. Miller <>
12 years agobridge br_multicast: Ensure to initialize BR_INPUT_SKB_CB(skb)->mrouters_only.
YOSHIFUJI Hideaki / 吉藤英明 [Sun, 25 Apr 2010 08:59:07 +0000 (08:59 +0000)]
bridge br_multicast: Ensure to initialize BR_INPUT_SKB_CB(skb)->mrouters_only.

Even with commit 32dec5dd0233ebffa9cae25ce7ba6daeb7df4467 ("bridge
br_multicast: Don't refer to BR_INPUT_SKB_CB(skb)->mrouters_only
without IGMP snooping."), BR_INPUT_SKB_CB(skb)->mrouters_only is
not appropriately initialized if IGMP snooping support is
compiled and disabled, so we can see garbage.

Signed-off-by: YOSHIFUJI Hideaki <>
Signed-off-by: David S. Miller <>
12 years agoieee802154: Fix oops during ieee802154_sock_ioctl
Stefan Schmidt [Mon, 26 Apr 2010 18:20:32 +0000 (11:20 -0700)]
ieee802154: Fix oops during ieee802154_sock_ioctl

Trying to run izlisten (from lowpan-tools tests) on a device that does not
exists I got the oops below. The problem is that we are using get_dev_by_name
without checking if we really get a device back. We don't in this case and
writing to dev->type generates this oops.

[Oops code removed by Dmitry Eremin-Solenikov]

If possible this patch should be applied to the current -rc fixes branch.

Signed-off-by: Stefan Schmidt <>
Signed-off-by: Dmitry Eremin-Solenikov <>
Signed-off-by: David S. Miller <>
12 years agop54pci: fix bugs in p54p_check_tx_ring
Hans de Goede [Thu, 22 Apr 2010 17:52:16 +0000 (19:52 +0200)]
p54pci: fix bugs in p54p_check_tx_ring

Hans de Goede identified a bug in p54p_check_tx_ring:

there are two ring indices. 1 => tx data and 3 => tx management.
But the old code had a constant "1" and this resulted in spurious
dma unmapping failures.

Bug-Identified-by: Hans de Goede <>
Signed-off-by: Christian Lamparter <>
Signed-off-by: John W. Linville <>
12 years agotg3: Fix INTx fallback when MSI fails
Andre Detsch [Mon, 26 Apr 2010 07:27:07 +0000 (07:27 +0000)]
tg3: Fix INTx fallback when MSI fails

tg3: Fix INTx fallback when MSI fails

MSI setup changes the value of irq_vec in struct tg3 *tp.
This attribute must be taken into account and restored before
we try to do a new request_irq for INTx fallback.

In powerpc, the original code was leading to an EINVAL return within
request_irq, because the driver was trying to use the disabled MSI
virtual irq number instead of tp->pdev->irq.

Signed-off-by: Andre Detsch <>
Acked-by: Michael Chan <>
Signed-off-by: David S. Miller <>
12 years agoipv6: Fix inet6_csk_bind_conflict()
Eric Dumazet [Sun, 25 Apr 2010 22:09:42 +0000 (15:09 -0700)]
ipv6: Fix inet6_csk_bind_conflict()

Commit fda48a0d7a84 (tcp: bind() fix when many ports are bound)
introduced a bug on IPV6 part.
We should not call ipv6_addr_any(inet6_rcv_saddr(sk2)) but
ipv6_addr_any(inet6_rcv_saddr(sk)) because sk2 can be IPV4, while sk is

Reported-by: Michael S. Tsirkin <>
Signed-off-by: Eric Dumazet <>
Tested-by: Michael S. Tsirkin <>
Signed-off-by: David S. Miller <>
12 years agoe100: Fix the TX workqueue race
Alan Cox [Sun, 25 Apr 2010 04:09:29 +0000 (21:09 -0700)]
e100: Fix the TX workqueue race

Nothing stops the workqueue being left to run in parallel with close or a
few other operations. This causes double unmaps and the like.

See #1041230 for an example

Signed-off-by: Alan Cox <>
Signed-off-by: David S. Miller <>
12 years agogianfar: Fix potential oops during OF address translation
Anton Vorontsov [Fri, 23 Apr 2010 07:12:44 +0000 (07:12 +0000)]
gianfar: Fix potential oops during OF address translation

gianfar driver may pass NULL pointer to the of_translate_address(),
which may lead to a kernel oops. Fix this by using of_iomap(), which
is also much simpler and shorter.

Signed-off-by: Anton Vorontsov <>
Signed-off-by: David S. Miller <>
12 years agofsl_pq_mdio: Fix kernel oops during OF address translation
Anton Vorontsov [Fri, 23 Apr 2010 07:12:35 +0000 (07:12 +0000)]
fsl_pq_mdio: Fix kernel oops during OF address translation

Old P1020RDB device trees were not specifing tbipa address for
MDIO nodes, which is now causing this kernel oops:

 eth2: TX BD ring size for Q[6]: 256
 eth2: TX BD ring size for Q[7]: 256
 Unable to handle kernel paging request for data at address 0x00000000
 Faulting instruction address: 0xc0015504
 Oops: Kernel access of bad area, sig: 11 [#1]
 NIP [c0015504] memcpy+0x3c/0x9c
 LR [c000a9f8] __of_translate_address+0xfc/0x21c
 Call Trace:
 [df839e00] [c000a94c] __of_translate_address+0x50/0x21c (unreliable)
 [df839e50] [c01a33e8] get_gfar_tbipa+0xb0/0xe0

The old device trees are buggy, though having a dead ethernet is
better than a dead kernel, so fix the issue by using of_iomap().

Also, a somewhat similar issue exist in the probe() routine, though
there the oops is only a possibility. Nonetheless, fix it too.

Signed-off-by: Anton Vorontsov <>
Signed-off-by: David S. Miller <>
12 years agotcp: bind() fix when many ports are bound
Eric Dumazet [Wed, 21 Apr 2010 09:26:15 +0000 (09:26 +0000)]
tcp: bind() fix when many ports are bound

Port autoselection done by kernel only works when number of bound
sockets is under a threshold (typically 30000).

When this threshold is over, we must check if there is a conflict before
exiting first loop in inet_csk_get_port()

Change inet_csk_bind_conflict() to forbid two reuse-enabled sockets to
bind on same (address,port) tuple (with a non ANY address)

Same change for inet6_csk_bind_conflict()

Reported-by: Gaspar Chilingarov <>
Signed-off-by: Eric Dumazet <>
Acked-by: Evgeniy Polyakov <>
Signed-off-by: David S. Miller <>
12 years agordma: potential ERR_PTR dereference
Dan Carpenter [Wed, 21 Apr 2010 23:55:27 +0000 (23:55 +0000)]
rdma: potential ERR_PTR dereference

In the original code, the "goto out" calls "rdma_destroy_id(cm_id);"
That isn't needed here and would cause problems because "cm_id" is an
ERR_PTR.  The new code just returns directly.

Signed-off-by: Dan Carpenter <>
Acked-by: Andy Grover <>
Signed-off-by: David S. Miller <>
12 years agortnetlink: potential ERR_PTR dereference
Dan Carpenter [Wed, 21 Apr 2010 23:53:27 +0000 (23:53 +0000)]
rtnetlink: potential ERR_PTR dereference

In the original code, if rtnl_create_link() returned an ERR_PTR then that
would get passed to rtnl_configure_link() which dereferences it.

Signed-off-by: Dan Carpenter <>
Acked-by: Patrick McHardy <>
Signed-off-by: David S. Miller <>
12 years agonet: ipv6 bind to device issue
Jiri Olsa [Tue, 20 Apr 2010 21:21:26 +0000 (21:21 +0000)]
net: ipv6 bind to device issue

The issue raises when having 2 NICs both assigned the same
IPv6 global address.

If a sender binds to a particular NIC (SO_BINDTODEVICE),
the outgoing traffic is being sent via the first found.
The bonded device is thus not taken into an account during the

From the ip6_route_output function:

If the binding address is multicast, linklocal or loopback,
the RT6_LOOKUP_F_IFACE bit is set, but not for global address.

So binding global address will neglect SO_BINDTODEVICE-binded device,
because the fib6_rule_lookup function path won't check for the
flowi::oif field and take first route that fits.

Signed-off-by: Jiri Olsa <>
Signed-off-by: Scott Otto <>
Signed-off-by: David S. Miller <>
12 years agoipv6: allow to send packet after receiving ICMPv6 Too Big message with MTU field...
Shan Wei [Sun, 18 Apr 2010 16:58:22 +0000 (16:58 +0000)]
ipv6: allow to send packet after receiving ICMPv6 Too Big message with MTU field less than IPV6_MIN_MTU

According to RFC2460, PMTU is set to the IPv6 Minimum Link
MTU (1280) and a fragment header should always be included
after a node receiving Too Big message reporting PMTU is
less than the IPv6 Minimum Link MTU.

After receiving a ICMPv6 Too Big message reporting PMTU is
less than the IPv6 Minimum Link MTU, sctp *can't* send any
data/control chunk that total length including IPv6 head
and IPv6 extend head is less than IPV6_MIN_MTU(1280 bytes).

The failure occured in p6_fragment(), about reason
see following(take SHUTDOWN chunk for example):
sctp_packet_transmit (SHUTDOWN chunk, len=16 byte)
|------sctp_v6_xmit (local_df=0)
       |------ip6_output (dst_allfrag is ture)

In ip6_fragment(), for local_df=0, drops the the packet
and returns EMSGSIZE.

The patch fixes it with adding check length of skb->len.
In this case, Ipv6 not to fragment upper protocol data,
just only add a fragment header before it.

Signed-off-by: Shan Wei <>
Signed-off-by: David S. Miller <>
12 years agodrivers/net/usb: Add new driver ipheth
Diego Giagio [Sun, 18 Apr 2010 08:35:16 +0000 (08:35 +0000)]
drivers/net/usb: Add new driver ipheth

Add new driver to use tethering with an iPhone device. After initial submission,
apply fixes to fit the new driver into the kernel standards.

There are still a couple of minor (almost cosmetic-level) issues, but the driver
is fully functional right now.

Signed-off-by: L. Alberto Giménez <>
Signed-off-by: Diego Giagio <>
Signed-off-by: David S. Miller <>
12 years agocxgb3: fix linkup issue
Hiroshi Shimamoto [Mon, 19 Apr 2010 15:32:20 +0000 (15:32 +0000)]
cxgb3: fix linkup issue

I encountered an issue that not to link up on cxgb3 fabric.
I bisected and found that this regression was introduced by

Correct to pass phy_addr to cphy_init() at t3_xaui_direct_phy_prep().

Signed-off-by: Hiroshi Shimamoto <>
Acked-by: Divy Le Ray <>
Signed-off-by: David S. Miller <>
12 years agoX25 fix dead unaccepted sockets
andrew hendry [Sat, 17 Apr 2010 14:17:32 +0000 (14:17 +0000)]
X25 fix dead unaccepted sockets

1, An X25 program binds and listens
2, calls arrive waiting to be accepted
3, Program exits without accepting
4, Sockets time out but don't get correctly cleaned up
5, cat /proc/net/x25/socket shows the dead sockets with bad inode fields.

This line borrowed from AX25 sets the dying socket so the timers clean up later.

Signed-off-by: Andrew Hendry <>
Signed-off-by: David S. Miller <>
12 years agoKS8851: NULL pointer dereference if list is empty
Abraham Arce [Fri, 16 Apr 2010 14:48:43 +0000 (14:48 +0000)]
KS8851: NULL pointer dereference if list is empty

Fix NULL pointer dereference in ks8851_tx_work by checking if dequeued
list is already empty before writing the packet to TX FIFO

 Unable to handle kernel NULL pointer dereference at virtual address 00000050
 PC is at ks8851_tx_work+0xdc/0x1b0
 LR is at wait_for_common+0x148/0x164
 pc : [<c01c0df4>]    lr : [<c025a980>]    psr: 20000013

Signed-off-by: Abraham Arce <>
Signed-off-by: David S. Miller <>
12 years agonet: 3c574_cs fix stats.tx_bytes counter
Alexander Kurz [Fri, 16 Apr 2010 03:01:01 +0000 (03:01 +0000)]
net: 3c574_cs fix stats.tx_bytes counter

Update the stats counter calculation in 3c574_cs, similar
to the method used in 3c589_cs. This corrects the contents
of the counter on tests using a "Megahertz 574B" card.

[ clean up commit message]
Signed-off-by: Alexander Kurz <>
Signed-off-by: Dominik Brodowski <>
Signed-off-by: David S. Miller <>
12 years agoxfrm6: ensure to use the same dev when building a bundle
Nicolas Dichtel [Wed, 21 Apr 2010 23:25:30 +0000 (16:25 -0700)]
xfrm6: ensure to use the same dev when building a bundle

When building a bundle, we set and rt6.rt6i_idev.
We must ensure to set the same device for both fields.

Signed-off-by: Nicolas Dichtel <>
Signed-off-by: David S. Miller <>
12 years agocan: Fix possible NULL pointer dereference in ems_usb.c
Hans J. Koch [Wed, 21 Apr 2010 00:18:06 +0000 (00:18 +0000)]
can: Fix possible NULL pointer dereference in ems_usb.c

In ems_usb_probe(), a pointer is dereferenced after making sure it is NULL...

This patch replaces netdev->dev.parent with &intf->dev in dev_err() calls to
avoid this.

Signed-off-by: "Hans J. Koch" <>
Acked-by: Wolfgang Grandegger <>
Signed-off-by: David S. Miller <>
12 years agonet: Fix an RCU warning in dev_pick_tx()
David Howells [Tue, 20 Apr 2010 00:25:58 +0000 (00:25 +0000)]
net: Fix an RCU warning in dev_pick_tx()

Fix the following RCU warning in dev_pick_tx():

[ INFO: suspicious rcu_dereference_check() usage. ]
net/core/dev.c:1993 invoked rcu_dereference_check() without protection!

other info that might help us debug this:

rcu_scheduler_active = 1, debug_locks = 0
2 locks held by swapper/0:
 #0:  (&idev->mc_ifc_timer){+.-...}, at: [<ffffffff81039e65>] run_timer_softirq+0x17b/0x278
 #1:  (rcu_read_lock_bh){.+....}, at: [<ffffffff812ea3eb>] dev_queue_xmit+0x14e/0x4dc

stack backtrace:
Pid: 0, comm: swapper Not tainted 2.6.34-rc5-cachefs #4
Call Trace:
 <IRQ>  [<ffffffff810516c4>] lockdep_rcu_dereference+0xaa/0xb2
 [<ffffffff812ea4f6>] dev_queue_xmit+0x259/0x4dc
 [<ffffffff812ea3eb>] ? dev_queue_xmit+0x14e/0x4dc
 [<ffffffff81052324>] ? trace_hardirqs_on+0xd/0xf
 [<ffffffff81035362>] ? local_bh_enable_ip+0xbc/0xc1
 [<ffffffff812f0954>] neigh_resolve_output+0x24b/0x27c
 [<ffffffff8134f673>] ip6_output_finish+0x7c/0xb4
 [<ffffffff81350c34>] ip6_output2+0x256/0x261
 [<ffffffff81052324>] ? trace_hardirqs_on+0xd/0xf
 [<ffffffff813517fb>] ip6_output+0xbbc/0xbcb
 [<ffffffff8135bc5d>] ? fib6_force_start_gc+0x2b/0x2d
 [<ffffffff81368acb>] mld_sendpack+0x273/0x39d
 [<ffffffff81368858>] ? mld_sendpack+0x0/0x39d
 [<ffffffff81052099>] ? mark_held_locks+0x52/0x70
 [<ffffffff813692fc>] mld_ifc_timer_expire+0x24f/0x288
 [<ffffffff81039ed6>] run_timer_softirq+0x1ec/0x278
 [<ffffffff81039e65>] ? run_timer_softirq+0x17b/0x278
 [<ffffffff813690ad>] ? mld_ifc_timer_expire+0x0/0x288
 [<ffffffff81035531>] ? __do_softirq+0x69/0x140
 [<ffffffff8103556a>] __do_softirq+0xa2/0x140
 [<ffffffff81002e0c>] call_softirq+0x1c/0x28
 [<ffffffff81004b54>] do_softirq+0x38/0x80
 [<ffffffff81034f06>] irq_exit+0x45/0x47
 [<ffffffff810177c3>] smp_apic_timer_interrupt+0x88/0x96
 [<ffffffff810028d3>] apic_timer_interrupt+0x13/0x20
 <EOI>  [<ffffffff810488dd>] ? __atomic_notifier_call_chain+0x0/0x86
 [<ffffffff810096bf>] ? mwait_idle+0x6e/0x78
 [<ffffffff810096b6>] ? mwait_idle+0x65/0x78
 [<ffffffff810011cb>] cpu_idle+0x4d/0x83
 [<ffffffff81380b05>] rest_init+0xb9/0xc0
 [<ffffffff81380a4c>] ? rest_init+0x0/0xc0
 [<ffffffff8168dcf0>] start_kernel+0x392/0x39d
 [<ffffffff8168d2a3>] x86_64_start_reservations+0xb3/0xb7
 [<ffffffff8168d38b>] x86_64_start_kernel+0xe4/0xeb

An rcu_dereference() should be an rcu_dereference_bh().

Signed-off-by: David Howells <>
Acked-by: Eric Dumazet <>
Signed-off-by: David S. Miller <>
12 years agoMerge branch 'master' of /home/davem/src/GIT/linux-2.6/
David S. Miller [Wed, 21 Apr 2010 07:50:39 +0000 (00:50 -0700)]
Merge branch 'master' of /home/davem/src/GIT/linux-2.6/

12 years agoipv6: Fix tcp_v6_send_response transport header setting.
Herbert Xu [Wed, 21 Apr 2010 07:47:15 +0000 (00:47 -0700)]
ipv6: Fix tcp_v6_send_response transport header setting.

My recent patch to remove the open-coded checksum sequence in
tcp_v6_send_response broke it as we did not set the transport
header pointer on the new packet.

Actually, there is code there trying to set the transport
header properly, but it sets it for the wrong skb ('skb'
instead of 'buff').

This bug was introduced by commit
a8fdf2b331b38d61fb5f11f3aec4a4f9fb2dedcb ("ipv6: Fix
tcp_v6_send_response(): it didn't set skb transport header")

Signed-off-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
12 years agobridge: add a missing ntohs()
Eric Dumazet [Tue, 20 Apr 2010 03:20:05 +0000 (03:20 +0000)]
bridge: add a missing ntohs()

grec_nsrcs is in network order, we should convert to host horder in

Signed-off-by: Eric Dumazet <>
Acked-by: Herbert Xu <>
Signed-off-by: David S. Miller <>
12 years agoMerge branch 'master' of git://
David S. Miller [Wed, 21 Apr 2010 00:57:56 +0000 (17:57 -0700)]
Merge branch 'master' of git://git./linux/kernel/git/linville/wireless-2.6

12 years agoMerge branch 'for_linus' of git://
Linus Torvalds [Tue, 20 Apr 2010 16:39:40 +0000 (09:39 -0700)]
Merge branch 'for_linus' of git://git./linux/kernel/git/jack/linux-fs-2.6

* 'for_linus' of git://
  quota: Convert __DQUOT_PARANOIA symbol to standard config option

12 years agoquota: Convert __DQUOT_PARANOIA symbol to standard config option
Jan Kara [Mon, 19 Apr 2010 14:47:20 +0000 (16:47 +0200)]
quota: Convert __DQUOT_PARANOIA symbol to standard config option

Make __DQUOT_PARANOIA define from the old days a standard config option
and turn it off by default.

This gets rid of a quota warning about writes before quota is turned on
for systems with ext4 root filesystem. Currently there's no way to legally
solve this because /etc/mtab has to be written before quota is turned on
on most systems.

Signed-off-by: Jan Kara <>
12 years agoMerge branch 'urgent' of git://
Linus Torvalds [Tue, 20 Apr 2010 16:21:19 +0000 (09:21 -0700)]
Merge branch 'urgent' of git://git./linux/kernel/git/brodo/pcmcia-2.6

* 'urgent' of git://
  pcmcia: fix error handling in cm4000_cs.c
  drivers/pcmcia: Add missing local_irq_restore
  serial_cs: MD55x support (PCMCIA GPRS/EDGE modem) (kernel 2.6.33)
  pcmcia: avoid late calls to pccard_validate_cis
  pcmcia: fix ioport size calculation in rsrc_nonstatic
  pcmcia: re-start on MFC override
  pcmcia: fix io_probe due to parent (PCI) resources
  pcmcia: use previously assigned IRQ for all card functions

12 years agoMerge git://
Linus Torvalds [Tue, 20 Apr 2010 16:20:55 +0000 (09:20 -0700)]
Merge git://git./linux/kernel/git/davem/sparc-2.6

* git://
  sparc64: Fix hardirq tracing in trap return path.
  sparc64: Use correct pt_regs in decode_access_size() error paths.
  sparc64: Fix PREEMPT_ACTIVE value.
  sparc64: Run NMIs on the hardirq stack.
  sparc64: Allocate sufficient stack space in ftrace stubs.
  sparc: Fix forgotten kmemleak headers inclusion

12 years agoMerge branch 'perf-fixes-for-linus' of git://
Linus Torvalds [Tue, 20 Apr 2010 16:20:23 +0000 (09:20 -0700)]
Merge branch 'perf-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'perf-fixes-for-linus' of git://
  perf: Fix unsafe frame rewinding with hot regs fetching

12 years agoMerge branch 'drm-linus' of git://
Linus Torvalds [Tue, 20 Apr 2010 16:20:11 +0000 (09:20 -0700)]
Merge branch 'drm-linus' of git://git./linux/kernel/git/airlied/drm-2.6

* 'drm-linus' of git://
  drm: delay vblank cleanup until after driver unload

12 years agox86: correctly wire up the newuname system call
Christoph Hellwig [Tue, 20 Apr 2010 03:31:02 +0000 (05:31 +0200)]
x86: correctly wire up the newuname system call

Before commit e28cbf22933d0c0ccaf3c4c27a1a263b41f73859 ("improve
sys_newuname() for compat architectures") 64-bit x86 had a private
implementation of sys_uname which was just called sys_uname, which other
architectures used for the old uname.

Due to some merge issues with the uname refactoring patches we ended up
calling the old uname version for both the old and new system call
slots, which lead to the domainname filed never be set which caused
failures with libnss_nis.

Reported-and-tested-by: Andy Isaacson <>
Signed-off-by: Christoph Hellwig <>
Signed-off-by: Linus Torvalds <>
12 years agosparc64: Fix hardirq tracing in trap return path.
David S. Miller [Tue, 20 Apr 2010 07:48:37 +0000 (00:48 -0700)]
sparc64: Fix hardirq tracing in trap return path.

We can overflow the hardirq stack if we set the %pil here
so early, just let the normal control flow do it.

This is fine as we are allowed to do the actual IRQ enable
at any point after we call trace_hardirqs_on.

Signed-off-by: David S. Miller <>
12 years agodrm: delay vblank cleanup until after driver unload
Jesse Barnes [Fri, 26 Mar 2010 18:07:16 +0000 (11:07 -0700)]
drm: delay vblank cleanup until after driver unload

Drivers may use vblank calls now (e.g. drm_vblank_off) in their unload
paths, so don't clean up the vblank related structures until after
driver unload.

Signed-off-by: Jesse Barnes <>
Reviewed-by: Kristian Høgsberg <>
Signed-off-by: Dave Airlie <>
12 years agoLinux 2.6.34-rc5 v2.6.34-rc5
Linus Torvalds [Mon, 19 Apr 2010 23:29:56 +0000 (16:29 -0700)]
Linux 2.6.34-rc5

12 years agormap: add exclusively owned pages to the newest anon_vma
Rik van Riel [Wed, 14 Apr 2010 21:59:28 +0000 (17:59 -0400)]
rmap: add exclusively owned pages to the newest anon_vma

The recent anon_vma fixes cause many anonymous pages to end up
in the parent process anon_vma, even when the page is exclusively
owned by the current process.

Adding exclusively owned anonymous pages to the top anon_vma
reduces rmap scanning overhead, especially in workloads with
forking servers.

This patch adds a parameter to __page_set_anon_rmap that can
be used to indicate whether or not the added page is exclusively
owned by the current process.

Pages added through page_add_new_anon_rmap are exclusively
owned by the current process, and can be added to the top

Pages added through page_add_anon_rmap can be either shared
or exclusively owned, so we do the conservative thing and
add it to the oldest anon_vma.

A next step would be to add the exclusive parameter to
page_add_anon_rmap, to be used from functions where we do
know for sure whether a page is exclusively owned.

Signed-off-by: Rik van Riel <>
Reviewed-by: Johannes Weiner <>
Lightly-tested-by: Borislav Petkov <>
Reviewed-by: Minchan Kim <>
[ Edited to look nicer  - Linus ]
Signed-off-by: Linus Torvalds <>
12 years agoMerge branch 'for-linus' of git://
Linus Torvalds [Mon, 19 Apr 2010 21:20:32 +0000 (14:20 -0700)]
Merge branch 'for-linus' of git://git./linux/kernel/git/ecryptfs/ecryptfs-2.6

* 'for-linus' of git://
  eCryptfs: Turn lower lookup error messages into debug messages
  eCryptfs: Copy lower directory inode times and size on link
  ecryptfs: fix use with tmpfs by removing d_drop from ecryptfs_destroy_inode
  ecryptfs: fix error code for missing xattrs in lower fs
  eCryptfs: Decrypt symlink target for stat size
  eCryptfs: Strip metadata in xattr flag in encrypted view
  eCryptfs: Clear buffer before reading in metadata xattr
  eCryptfs: Rename ecryptfs_crypt_stat.num_header_bytes_at_front
  eCryptfs: Fix metadata in xattr feature regression

12 years ago8139too: Fix a typo in the function name.
Alexander Kuznetsov [Mon, 19 Apr 2010 21:17:43 +0000 (14:17 -0700)]
8139too: Fix a typo in the function name.

Signed-off-by: Alexander Kuznetsov <>
Signed-off-by: David S. Miller <>
12 years agosparc64: Use correct pt_regs in decode_access_size() error paths.
David S. Miller [Mon, 19 Apr 2010 20:46:48 +0000 (13:46 -0700)]
sparc64: Use correct pt_regs in decode_access_size() error paths.

Signed-off-by: David S. Miller <>
12 years agomac80211: pass HT changes to driver when off channel
Reinette Chatre [Mon, 19 Apr 2010 17:46:31 +0000 (10:46 -0700)]
mac80211: pass HT changes to driver when off channel

Since "mac80211: make off-channel work generic" drivers have not been
notified of configuration changes after association or authentication. This
caused more dependence on current state to ensure driver will be notified
when configuration changes occur. One such problem arises if off-channel is
in progress when HT information changes. Since HT is only enabled on the
"oper_channel" the driver will never be notified of this change. Usually
the driver is notified soon after of a BSS information change
(BSS_CHANGED_HT) ... but since the driver did not get a notification that
this is a HT channel the new BSS information does not make sense.

Fix this by also changing the off-channel information when HT is enabled
and thus cause driver to be notified correctly.

This fixes a problem in 4965 when associated with 5GHz 40MHz channel.
Without this patch the system can associate but is unable to transfer any
data, not even ping.


Signed-off-by: Reinette Chatre <>
Signed-off-by: John W. Linville <>
12 years agomac80211: remove bogus TX agg state assignment
Johannes Berg [Mon, 19 Apr 2010 08:48:38 +0000 (10:48 +0200)]
mac80211: remove bogus TX agg state assignment

When the addba timer expires but has no work to do,
it should not affect the state machine. If it does,
TX will not see the successfully established and we
can also crash trying to re-establish the session.

Cc: [2.6.32, 2.6.33]
Signed-off-by: Johannes Berg <>
Signed-off-by: John W. Linville <>
12 years agoeCryptfs: Turn lower lookup error messages into debug messages
Tyler Hicks [Thu, 25 Mar 2010 16:16:56 +0000 (11:16 -0500)]
eCryptfs: Turn lower lookup error messages into debug messages

Vaugue warnings about ENAMETOOLONG errors when looking up an encrypted
file name have caused many users to become concerned about their data.
Since this is a rather harmless condition, I'm moving this warning to
only be printed when the ecryptfs_verbosity module param is 1.

Signed-off-by: Tyler Hicks <>
12 years agoeCryptfs: Copy lower directory inode times and size on link
Tyler Hicks [Tue, 23 Mar 2010 23:09:02 +0000 (18:09 -0500)]
eCryptfs: Copy lower directory inode times and size on link

The timestamps and size of a lower inode involved in a link() call was
being copied to the upper parent inode.  Instead, we should be
copying lower parent inode's timestamps and size to the upper parent
inode.  I discovered this bug using the POSIX test suite at Tuxera.

Signed-off-by: Tyler Hicks <>
12 years agoecryptfs: fix use with tmpfs by removing d_drop from ecryptfs_destroy_inode
Jeff Mahoney [Fri, 19 Mar 2010 19:35:46 +0000 (15:35 -0400)]
ecryptfs: fix use with tmpfs by removing d_drop from ecryptfs_destroy_inode

Since tmpfs has no persistent storage, it pins all its dentries in memory
so they have d_count=1 when other file systems would have d_count=0.
->lookup is only used to create new dentries. If the caller doesn't
instantiate it, it's freed immediately at dput(). ->readdir reads
directly from the dcache and depends on the dentries being hashed.

When an ecryptfs mount is mounted, it associates the lower file and dentry
with the ecryptfs files as they're accessed. When it's umounted and
destroys all the in-memory ecryptfs inodes, it fput's the lower_files and
d_drop's the lower_dentries. Commit 4981e081 added this and a d_delete in
2008 and several months later commit caeeeecf removed the d_delete. I
believe the d_drop() needs to be removed as well.

The d_drop effectively hides any file that has been accessed via ecryptfs
from the underlying tmpfs since it depends on it being hashed for it to
be accessible. I've removed the d_drop on my development node and see no
ill effects with basic testing on both tmpfs and persistent storage.

As a side effect, after ecryptfs d_drops the dentries on tmpfs, tmpfs
BUGs on umount. This is due to the dentries being unhashed.
tmpfs->kill_sb is kill_litter_super which calls d_genocide to drop
the reference pinning the dentry. It skips unhashed and negative dentries,
but shrink_dcache_for_umount_subtree doesn't. Since those dentries
still have an elevated d_count, we get a BUG().

This patch removes the d_drop call and fixes both issues.

This issue was reported at:

Reported-by: Árpád Bíró <>
Signed-off-by: Jeff Mahoney <>
Cc: Dustin Kirkland <>
Signed-off-by: Tyler Hicks <>
12 years agoecryptfs: fix error code for missing xattrs in lower fs
Christian Pulvermacher [Tue, 23 Mar 2010 16:51:38 +0000 (11:51 -0500)]
ecryptfs: fix error code for missing xattrs in lower fs

If the lower file system driver has extended attributes disabled,
ecryptfs' own access functions return -ENOSYS instead of -EOPNOTSUPP.
This breaks execution of programs in the ecryptfs mount, since the
kernel expects the latter error when checking for security
capabilities in xattrs.

Signed-off-by: Christian Pulvermacher <>
Signed-off-by: Tyler Hicks <>
12 years agoeCryptfs: Decrypt symlink target for stat size
Tyler Hicks [Mon, 22 Mar 2010 05:41:35 +0000 (00:41 -0500)]
eCryptfs: Decrypt symlink target for stat size

Create a getattr handler for eCryptfs symlinks that is capable of
reading the lower target and decrypting its path.  Prior to this patch,
a stat's st_size field would represent the strlen of the encrypted path,
while readlink() would return the strlen of the decrypted path.  This
could lead to confusion in some userspace applications, since the two
values should be equal.

Reported-by: Loïc Minier <>
Signed-off-by: Tyler Hicks <>
12 years agoFix ISDN/Gigaset build failure
Linus Torvalds [Mon, 19 Apr 2010 18:53:17 +0000 (11:53 -0700)]
Fix ISDN/Gigaset build failure

Commit b91ecb00 ("gigaset: include cleanup cleanup") removed an implicit
sched.h inclusion that came in via slab.h, and caused various compile
problems as a result.

This should fix it.

Reported-by: Ingo Molnar <>
Signed-off-by: Linus Torvalds <>
12 years agoMerge branch 'core-fixes-for-linus' of git://
Linus Torvalds [Mon, 19 Apr 2010 15:35:47 +0000 (08:35 -0700)]
Merge branch 'core-fixes-for-linus' of git://git./linux/kernel/git/tip/linux-2.6-tip

* 'core-fixes-for-linus' of git://
  rcu: Make RCU lockdep check the lockdep_recursion variable
  rcu: Update docs for rcu_access_pointer and rcu_dereference_protected
  rcu: Better explain the condition parameter of rcu_dereference_check()
  rcu: Add rcu_access_pointer and rcu_dereference_protected

12 years agoMerge git://
Linus Torvalds [Mon, 19 Apr 2010 14:27:45 +0000 (07:27 -0700)]
Merge git://git./linux/kernel/git/davem/net-2.6

* git://
  gigaset: include cleanup cleanup
  packet : remove init_net restriction
  WAN: flush tx_queue in hdlc_ppp to prevent panic on rmmod hw_driver.
  ip: Fix ip_dev_loopback_xmit()
  net: dev_pick_tx() fix
  fib: suppress lockdep-RCU false positive in FIB trie.
  tun: orphan an skb on tx
  forcedeth: fix tx limit2 flag check
  iwlwifi: work around bogus active chains detection